As of July 2018, the Australian Digital Health Agency (ADHA) appears to have no detailed policy or process for releasing My Health Record data to support regulatory and legal requests.

The only internal policy guidance appears to have been the agency's commitment, stated publicly, not to release data except "where the agency has no discretion", such as when responding to a court order.

This state of affairs was revealed in documents released on Friday under a Freedom of Information request made on July 25 by infectious diseases physician Dr Trent Yarwood, who represents Future Wise on e-health and privacy matters.

"I request a copy of any documents (for example a work instruction or procedure) which applies to release of myHealthRecord data held by Digital Health Australia as the myHealthRecord Act in response to a request from an enforcement body under Section 70(1) of the My Health Record Act," he wrote.

"I request the final version of the document, which is in effect today, 25th July 2018."

After a certain amount of to-and-fro, which Yarwood has detailed in a blog post, only two redacted documents were released.

It outlines the ADHA's authority to release data for law enforcement and other purposes under Section 70 of the My Health Records Act 2012; notes the existing policy; and says the board should "provide advice on whether it supports this position going forward".

There seem to have been concerns about public perception. Even though the powers to release data for law enforcement are separate from the so-called "secondary use powers and process", something that is still to be set up, the discussion paper notes that "this distinction would not be recognised by the broader community".

"If the agency were to release MHR information for law enforcement purposes, it is possible that the community could confuse this with our commitments about implementing the Framework for Secondary Use with the Australian Institute of Health and Welfare (AIHW), including governance and other protections."

"The board discussed this matter with the agency executive and requested further advice on the implications to the agency as the system operator [the term used in the My Health Records Act]," it said.

The minutes record as an action item that the board be provided with advice to answer "Who is the system operator?" and a "policy that describes the framework for responding to data requests".

This was due to be done by the board's next meeting in August.

All of this raises a number of questions, says Yarwood.

"There is no official procedure, but just a position statement from the board," he wrote.

"This, depending on how charitable you are feeling, would either directly contradict the minister's repeated and emphatic statements that there was and it didn't allow the release of information; or at the very least mean that the interpretation of 'policy' seems to be loose enough that 'feelpinion from the board' now counts as a policy."

Another explanation could be that a policy or procedure exists, but failed to turn up as the documentation management of ADHA is "pretty terrible", Yarwood posited.

"It's of significant concern to me that the board is seeking advice as to ADHA's role as the system operator. Surely this should be a pretty fundamental issue for them to have some grasp of."

Legislation currently making its way through Parliament should clarify the situation.

"Overall, I think the interpretation of 'the policy says no' is a bit of a stretch, and I'll be watching carefully to make sure that the amendments to the My Health Record Act achieve the objectives of protecting access to patient data without judicial oversight," he wrote.

In response to questions from ZDNet about the state of this policy and written procedures, an ADHA spokesperson reaffirmed that the agency "has not and will not release any documents without a court/coronial or similar order", pointing to their privacy policy.

"The government has moved to make a number of amendments to the My Health Records Act 2012 to ensure no information stored in the My Health system can be released to police or other government agencies without a court/coronial or similar order. This matches the existing Agency operating policy," they said.

"I can assure you that no documents have been released in the last six years and none will be released in the future without a court order. The amendments will remove any ambiguity and ensure the Agency's operating policy is enshrined in legislation."

An Australian senate committee has recommended passing the My Health Records Amendment (Strengthening Privacy) Bill 2018, but Labor senators have lashed out at the government's "stubborn refusal" to fix further problems.
